In this executable that was largely C++ with RTTI, this plug-in added a lot of contextual class data.
Plus in this case added a good amount of clean-up as the result of properly identifying and placing various RTTI data structures.
Typically when IDA sees previously unknown data now defined it will automatically reanalyze associated areas that can result in yet more data references and previously unknown functions being found. Removes more of the "unknown".

Version 1.06
Quote:
1.06 - 1) Added persistent vftable list storage.
2) Removed the many unnecessary "autoWait()" calls that caused a bit of a slow down.
3) Fixed broken and updated some custom UI elements.
4) Fixed the multi-segment select feature for the non-QT version and
added a working setup for the QT version too. For QT, after desired
segments are selected right click on the list and do "Select"
followed by the "Okay" button.
5) Added the ".data" segment to the default data search since vftables
are often located there (in addition to ".rdata").

1.05 - 1) The problem with the plug-in not being ready on invocation was fixed
by returning PLUGIN_KEEP on init to stay resident.
2) The fix in 1.04 didn't quite do it for structure placement problems.
In particular there remains a run on problem in IDA when marking some
areas "unknown"; these "do_unknown()" calls have been removed and
each structure element is individually placed one by one before
attempting to place the actual assorted structures.

1.04 - 1) Now ensures RTTI type name strings are set.

1.03 - 1) Added check and warning message for invalid start and end addresses
with "_initterm" type static/global ctor & dtor tables.
Would cause a negative count run-on condition that could trample over
a large data area.
2) UI customizations auto-disabled when using IDA Qt version.
3) Current IDA view is refreshed on completion to show changes.
4) Fixed a stall that could result from repeated failed attempts at an
RTTI type placement. Plus fixed the pattern for these so they could
be properly placed.

1.02 - 1) Added user code and data segment selector.
Allows user to select multiple data and code segments instead of the
default of ".text" and ".rdata" by name.
For those rare executable targets that have multiple code sections,
and, or, unpacked executables with mixed segments, etc.
2) Added config option for verbose output to the debugger channel.
3) Improved overall processing speed.
4) Since there can multiple instances of the same class or structure,
and IDA names must be unique all duplicate names are now serialized.
More things labeled, and no more "duplicate name" warning spam.
Note: Effects only label names, commented names are not altered
5) Updated to IDA SDK 5.5
6) Added links to Sirmabus IDA plug-ins support forum.

1.01 - 1) No longer pops up an error and exits IDA when an incompatible IDB is
loaded. Just displays a "not loaded" log message now.
2) Fixed IDA tab page update issue.
3) Now built with IDA SDK 5.4, and tested with IDA 5.4.
4) Fixed incorrect string placement in the RTTI type info struct.
Now the structures are right which make a cleaner DB.
This was a major bottleneck that caused the structure placement to be
about 36x slower, now only about 1x.
5) Fixed some misspellings.

Techbliss OwnerAdminIda Pro ExpertDeveloper

2.0 - A complete overhaul of the entire plug-in.
1) Updated namings to better match that of Microsoft's internals.
2) Moved custom type creation out of the init() call; now gets created
only on the first run and only if the "Place structures" option is
checked.
3) Descriptive comments are now placed on C/C++ initializer and
terminator table start and end points.
4) The UI is now a custom Qt one with "material design" elements.
5) Added a 64bit (32bit IDA's "__E64__") version.
6) The RTCI (rare MS MFC type) support was removed.
7) Now locates vftables by RTTI "Complete Object Locator" structures
directly.
8) Updated to IDA SDK 6.7 version.
9) No longer has a default hotkey. Set your own using "plugins.cfg".
10) Updated and improved the static ctor/dtor processing.

Active Member

could we have a 1 method at a line?
current approach of ClassInformer that class methods like array vars
is not very readable.....
eg: http://prntscr.com/7cqr0v
would be nice to have 1 method per row
or make such an option (checkbox) to the end user...

could we have a 1 method at a line?
current approach of ClassInformer that class methods like array vars
is not very readable.....
eg: http://prntscr.com/7cqr0v
would be nice to have 1 method per row
or make such an option (checkbox) to the end user...

Click to expand...

Took me a second there to see what you were saying..
That's strange, I havn't seen IDA make vftables into an array like that before.
Anyone else have methods like this convert to an array?
The only way I could duplcate the effect was to manually select a method, right click and do "array" with a count.

The plug-in doesn't call any "make array" function.
It's probably something to do with either your IDA "General Options" or one of your "kernel" options.

Active Member

Hi
thanks for the answer
you are right...... thats not the plugin making the array of 3 items per row
thats IDA doing that strange things..
Having hundreds of vtables inside the DB is it a really PITA to do it by hands.....

I"ve followed your hint but
I did not find any options (General, Kernel 1 or 2) that might influence the default array creation mode.
Does it make any sense to put the *normalizing* of vtable outline to a normal, readable 1 item per row?

Now, returning back to your idea,
could you make some hint here regarding Python script, whats the general idea to find these vtables arrays,
does IDA understand that these are not just arrays, but vtable types>.....?

Techbliss OwnerAdminIda Pro ExpertDeveloper

Active Member

sure, that works fine, but having hundreds of vtables thats a real PITA work......
my goals are: understand why IDA does the array by default
try to convince the author of this great plugin to do improvements
cheers

Active Member

Before you go to fix it, try to understand the root cause of the issue
1) check the export from your copy of .p64 file
2) check the run of IDA using procmon - check how the library being LoadLibrary-ied, etc
3) try to sniff the API flow using some API Sniffer/tracer